
Three Exploit Kits Spreading Attacks for Recent Flash Player Zero Day

The Angler Exploit Kit is exploiting the latest Flash zero day and is moving Dridex banking malware. The Magnitude and Neutrino exploit kits have also integrated the 0day.

Update: Exploits for the most recent Adobe Flash Player zero-day vulnerability have been integrated into the Angler, Neutrino and Magnitude exploit kits, and are leading compromised computers to different ransomware strains, banking malware, and a credential-stealing Trojan.

A French researcher who goes by the handle Kafeine told Threatpost that Neutrino has embedded a working exploit for CVE-2016-4117 while Magnitude has not fully implemented the exploit.

Kafeine this morning also confirmed that the Angler Exploit Kit has now integrated the same Flash zero day exploit. The Angler exploits, however, are dropping the Dridex banking Trojan. Dridex has primarily spread in spam and phishing emails, and used malicious macros embedded in Office documents to download the Trojan.

Kafeine said that Magnitude is firing exploits for Flash Player up to version 21.0.0.213, but the payloads are not executing, despite the presence of references to the vulnerable code. It could be that the exploit was not implemented correctly; Kafeine said that as of this morning the payloads were not working.

Detection rates on VirusTotal for the Neutrino exploit remain low, only five of 56 as of this morning.

Kafeine said today that in different passes with the exploit kit, he saw infection payloads that included CryptXXX, Cerber and DMA Locker ransomware, as well as the Gootkit Trojan.

Gootkit has also been integrated into the Angler Exploit Kit. Researchers at Cyphort said malvertising attacks were redirecting victims to Angler, which then downloads Bedep click-fraud malware and the Gootkit loader. Gootkit, which is used primarily to steal online banking credentials, is loaded into memory and leaves no files on the victims’ machines.

One day after the emergency Flash update, FireEye published details on the attacks it discovered and privately disclosed to Adobe. In its report, FireEye said exploits were embedded in Office documents hosted on the attackers’ site, and a dynamic DNS domain was used to reference the document and payload. This allowed the attacks to spread via URL or email attachments.

FireEye said that the attacks worked against machines running Flash 21.0.0.196 and above; the exploits run shellcode, which downloads and executes a second shellcode that downloads and executes the malware and displays a decoy document to the victim. The malware also opens a backdoor and is capable of receiving new commands from the attackers.

The Magnitude EK, meanwhile, has been pushing Cerber ransomware almost exclusively. Researchers at Proofpoint discovered a previous Adobe Flash zero day a month earlier was integrated into Magnitude and Nuclear exploit kits. Nuclear was moving Locky ransomware onto victims’ machines; Locky was blamed for a number of high-profile infections at hospitals nationwide.

Cerber has been climbing the ranks of ransomware—along with CryptXXX—after FireEye said attackers have been leveraging the same spam infrastructure used to spread the dangerous Dridex banking malware. Cerber has an annoying feature in which it uses text-to-speech technology to audibly read its ransom note to its victims.

This article was updated May 23 to reflect the addition of the Flash zero day into the Angler Exploit Kit.

Discussion

I have no idea what I just read. I am a novice; please tell me what to do and if this affects me. There are many novice users out there. Does this mean I need to delete Adobe? My husband has it on his computer and laptop too, so please let us know as soon as possible.

Hi D. O. Roberts, I am not an expert with zero day attacks but have read up quite a bit about them. I would recommend removing Adobe Flash from the system that you both use whether the system may be Macintosh, Linux or Windows. If you are in dire need of Flash ability I would recommend using Google Chrome which provides a security enhanced version of Flash that is available upon need.
